Engineering expertise is needed to secure control systems

On July 19, 2018, I gave a presentation on control system cyber security to the National Society of Professional Engineers (NSPE) in Las Vegas. This presentation, as well as my blog, https://www.controlglobal.com/blogs/unfettered/cyber-security-of-sensors-are-not-being-addressed-and-vulnerabilities-are-not-correlated-to-system-impacts/, was a response to the network-centric view of cyber security, including for control systems.

Network cyber security (IT and OT) is necessary, but NOT sufficient to secure control systems. Process sensors, actuators, and drives and their lower-level networks have minimal to no security or authentication. These devices are the control system end devices and are not the same as IT end devices. Moreover, these tens of millions of devices may not be able to be updated to what is considered minimally acceptable cyber security. This was the stimulus for ISA99 to form a task group to reassess the adequacy of the IEC 62443 series of standards for field devices and field device networks (TG7).

These engineering systems directly affect process reliability and safety. They require an engineering understanding of the systems and their impact, yet the engineers have not been adequately involved. As control system cyber security affects industries as diverse as power grids, process plants, pipelines, manufacturing, transportation, and defense, it affects multiple standards organizations such as ISA, ASME, IEEE, API, NERC, ANSI, CIGRE, etc. I believe my NSPE presentation stimulated interest in the engineering profession taking a more active role in securing control systems. There was a desire expressed by several key individuals about NSPE taking a more active role in control system cyber security.

Joe Weiss